MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e9827bdc12c88624681007f776b331d7968b7321e6f47f790b181e416631943. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neurevt


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e9827bdc12c88624681007f776b331d7968b7321e6f47f790b181e416631943
SHA3-384 hash: 8b719cf0970cfc202d753c0f59debe8d7196a3a818c980d869f112d2bfdef98de1385a7b3f68b7cdc84c7e40539cb473
SHA1 hash: 0174058e799141698b744414b16057902afc546a
MD5 hash: 3f2695ef724c6da93359bcc8971c64ee
humanhash: eight-mike-golf-johnny
File name:purchase order 24.5.2021.exe
Download: download sample
Signature Neurevt
Create hunting rule
File size:867'840 bytes
First seen:2021-05-24 16:14:42 UTC
Last seen:2021-05-24 17:03:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:xBC7y1lsB4twEHQ6lyOGGHn+SQ9sdnpS:xBC7Gs+/HQ6y+nIsNE
Threatray 1'456 similar samples on MalwareBazaar
TLSH 25059D2C616EF126C1A8C2794AD4443BE590DB377032FD28ECD7279D5729E80BD8627E
Reporter abuse_ch
Tags:exe Neurevt

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
purchase order 24.5.2021.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-24 16:18:25 UTC
Tags:
trojan betabot
Link:
https://app.any.run/tasks/d3e65940-b0e9-4d01-9dbc-6b320e46f811

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Betabot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/790581
Signature
.NET source code contains very large strings
Contains functionality to check if the process is started with administrator privileges
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Potentially malicious time measurement code found
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal ftp login credentials
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Betabot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 422982 Sample: purchase order 24.5.2021.exe Startdate: 24/05/2021 Architecture: WINDOWS Score: 100 57 github.com 2->57 59 avatars.githubusercontent.com 2->59 75 Multi AV Scanner detection for submitted file 2->75 77 Yara detected AntiVM3 2->77 79 Yara detected Betabot 2->79 81 10 other signatures 2->81 9 purchase order 24.5.2021.exe 3 2->9         started        13 yytoqzfws.exe 2 2->13         started        15 yytoqzfws.exe 3 2->15         started        17 yytoqzfws.exe 2->17         started        signatures3 process4 file5 55 C:\Users\...\purchase order 24.5.2021.exe.log, ASCII 9->55 dropped 99 Injects a PE file into a foreign processes 9->99 19 purchase order 24.5.2021.exe 4 21 9->19         started        22 purchase order 24.5.2021.exe 9->22         started        24 purchase order 24.5.2021.exe 9->24         started        26 yytoqzfws.exe 13->26         started        28 yytoqzfws.exe 13->28         started        30 yytoqzfws.exe 1 12 15->30         started        32 iexplore.exe 17->32         started        signatures6 process7 signatures8 83 Creates an undocumented autostart registry key 19->83 85 Maps a DLL or memory area into another process 19->85 87 Sample uses process hollowing technique 19->87 89 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->89 34 WerFault.exe 11 40 19->34         started        38 schtasks.exe 1 19->38         started        40 iexplore.exe 32->40         started        42 iexplore.exe 32->42         started        process9 dnsIp10 61 k3inveentive.com 27.122.57.229, 443, 49766, 49769 IPTELECOM-AS-APIPTELECOMGlobalHK Hong Kong 34->61 63 192.168.2.1 unknown unknown 34->63 91 Overwrites Windows DLL code with PUSH RET codes 34->91 93 Modifies Internet Explorer zone settings 34->93 95 Tries to harvest and steal ftp login credentials 34->95 97 3 other signatures 34->97 44 UNJJzaCejWqHxWUUWFWECOkq.exe 1 12 34->44 injected 47 UNJJzaCejWqHxWUUWFWECOkq.exe 1 12 34->47 injected 49 UNJJzaCejWqHxWUUWFWECOkq.exe 1 12 34->49 injected 53 8 other processes 34->53 51 conhost.exe 38->51         started        65 github.com 140.82.121.3, 443, 49738, 49739 GITHUBUS United States 40->65 67 avatars.githubusercontent.com 185.199.111.133, 443, 49743, 49744 FASTLYUS Netherlands 40->67 73 2 other IPs or domains 40->73 69 185.199.110.133, 443, 49761, 49762 FASTLYUS Netherlands 42->69 71 js.monitor.azure.com 42->71 signatures11 process12 signatures13 101 Hides threads from debuggers 44->101
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e9827bdc12c88624681007f776b331d7968b7321e6f47f790b181e416631943/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 16:15:16 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h2mcppobfsegerubab7xo2ztdv4wrnzsdzxup54qwga6iftddfbq._file
Verdict:
malicious
Similar samples:
03e3837f16d46a1a0a13904fae467c105b1aae66b382e8313b20b90269e53ed6
Neurevt
0f600e10b529dc3af8dabf5aa567598fe6a0c5a373d4f20e9fba390735257bbe
Neurevt
15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0
Neurevt
273811e7b3de14abc8cfbbb28be4ab3c39922ff09c869f1a4b6b357577f0d374
Neurevt
3149cdb07c535db9316160f19a32b73a31cdd4d5fd6e971518b88d45db52af7d
Neurevt
4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e
Neurevt
55c12cb22033e12af48c4bb80b660e4ace8ed2364e7147979e30355bab7d5469
Neurevt
7e595e94b08c3bbd600f3fe1c310a6eb20b85e0784d4f519e713bb6a5e53446c
Neurevt
9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
Neurevt
fd616f39100a908d83e019ce7fa00f72aaa791c1f082b688cec80ae6241d5f4e
Neurevt
+ 1'446 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210524-e373qlys1s/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies Internet Explorer Protected Mode
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks for any installed AV software in registry
Drops desktop.ini file(s)
Sets file execution options in registry
Modifies firewall policy service
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e9827bdc12c88624681007f776b331d7968b7321e6f47f790b181e416631943

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neurevt

Executable exe 3e9827bdc12c88624681007f776b331d7968b7321e6f47f790b181e416631943

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments